On 24 July 2013, a high-speed train travelling at around 190km/h, on its way from Madrid to Ferrol, derailed on a sharp curve three miles from Santiago de Compostela in northern Spain. The train was travelling at twice the permitted speed limit of 80km/h. Eighty people were killed and 144 were injured. The horrifying derailment, subsequent carnage, and twisted carriages, were captured by security video cameras on the route, and widely broadcast in the media.
A year on, The Independent newspaper’s headline about Spain’s deadly train crash reflected a predictable outcome: ‘Spanish train crash: Driver facing 80 homicide charges, but rail bosses cleared’. There was an obvious focus on human error.
The driver, José Garzón Amo, was reported to have been on the phone talking to colleagues just before the crash. In isolation, this piece of information immediately primes us to believe the driver was to blame – after all, he must have been distracted.
We are conveniently steered down a path of blame, well-beaten by common media biases. The train was clearly derailed as a direct result of his lack of attention; it was his fault that 80 people lost their lives, and so many others were injured; the man responsible should be punished; the rail bosses were blameless, sitting innocently in their offices. These assumptions all follow from the initial presentation of selected facts. If you dig a little deeper, however, the true picture begins to emerge.
What safety systems were in place to prevent distraction from derailing a train in the first place? There is a bigger question here too: whether a person responsible for the safe transit of hundreds of lives should ever be put in a situation where a lapse of attention can cause a major accident. By establishing the full, situational context, we can better gauge the role of José’s distraction in this awful tragedy. If an experienced driver like José could suffer a lapse with such terrible consequences, so could other drivers.
The initial investigation was conducted by Spain’s Railway Accident Investigation Commission (Ciaf). Ciaf, part of the Transport Ministry in Spain, predictably cited driver error as the sole cause of the derailment. However, their recommendations ignored a critical factor: the lack of a working on-board European Train Control System (ETCS) designed to assist the driver. It was left to a separate, judicial investigation to highlight the contributory role of ETCS.
At high speed there is a greater need to display information to the driver electronically in the cab. Lineside signals and speed signage can become a mere blur, rendering them very difficult to interpret. On the 424km-long high-speed line in question, there are 31 tunnels and 38 viaducts. Where a train is constantly running in and out of tunnels, a driver may also start to find it difficult to know exactly where he is on the route.
Just imagine travelling down a monotonous stretch of motorway in your car at twice the speed limit and attempting to read the signage. This will give you some idea of the additional difficulties faced in assimilating safety information at high speed, whilst retaining a sense of where you are physically. Your brain will inevitably start to struggle the faster you go. For driving a train at high speed, some technological assistance starts to become a necessity, especially when we are talking about the safe transit of hundreds of lives.
The on-board ETCS had actually been switched off back in 2012. At the time, Renfe, the train operator, had cited operating problems. In response, Adif, the infrastructure manager, had granted permission to switch the system off, and it was not working on the day of the crash.
The probability of an accident based on an analysis of the circumstances which led to the derailment has been estimated by the judicial investigation report to be around every six months. In other words, far too often! How might ETCS have made any difference?
On the approach to the curve, the train was travelling at 200km/h. ETCS, had it been fully functioning, would have started to alert the driver of the transition several kilometres before – a little bit like when a satellite navigation system in your car alerts you to a junction ahead. In this case, a text message on the screen of the Driver Machine Interface (DMI) in the cab would have initially announced the transition.
A short while later, a message with a difficult-to-ignore yellow flashing frame would have emitted an audible signal. The driver would then have been asked to acknowledge this by tapping on the screen. After five seconds, the brakes would automatically have been applied until an acknowledgement had been received, or the train had stopped.
In other words, ETCS was designed for exactly the sort of scenario José found himself in that day: approaching a curve at high speed, and at risk of succumbing to distraction – a very ordinary human failing.
One independent telecommunications expert has said that a fully functional DMI “would have sufficed to ensure his focus was again on the line, increasing his situational awareness”. The effect would have been to remind José in good time that the train was approaching a sharp curve at more than double the maximum permitted speed. He would have had 4km to respond and reduce the train speed from 200km/h to 80km/h or less.
Even with a distracted driver, and no alert system to improve his situational awareness, a more robust safety system would have added another line of defence. A gaping hole was left in the system’s safety defences by not installing the European Rail Traffic Management System (ERTMS) to provide automatic braking on this particular section of track. ERTMS was in fact installed on most of the high-speed track in the region. It would have greatly reduced the risk of human error causing a derailment near Santiago de Compostela. The track at the accident site used older-generation signalling technology which could not override the driver’s control.
Both the accident and subsequent loss of lives just may have been prevented by a robust, confidential reporting system available to train drivers, engineers and other safety professionals in the Spanish railways. One key safety defence, ETCS, had consciously been switched off in 2012. And in this particular accident, the last line of safety defence was the driver – it needn’t have been.
A more effectively designed system would have ensured that automatic braking became the last line of defence instead. These holes-in-defences can be picked up by confidential reporting, especially where the safety culture has a tendency to emphasise performance at the expense of safety and staff report it.